  1. 30 Sep, 2016 3 commits
    • sctp: fix the issue sctp_diag uses lock_sock in rcu_read_lock · 1cceda78
      Xin Long authored
      When sctp dumps all the ep->assocs, it needs to lock_sock first,
      but now it locks sock in rcu_read_lock, and lock_sock may sleep,
      which would break rcu_read_lock.
      This patch is to get and hold one sock when traversing the list.
      After that and get out of rcu_read_lock, lock and dump it. Then
      it will traverse the list again to get the next one until all
      sctp socks are dumped.
      For sctp_diag_dump_one, it fixes this issue by holding asoc and
      moving cb() out of rcu_read_lock in sctp_transport_lookup_process.
      Fixes: 8f840e47 ("sctp: add the sctp_diag.c file")
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: change to check peer prsctp_capable when using prsctp polices · be4947bf
      Xin Long authored
      Now before using prsctp policies, sctp uses asoc->prsctp_enable to
      check if prsctp is enabled. However, asoc->prsctp_enable being set only
      means the local host supports prsctp; sctp should not abandon packets if
      the peer host doesn't enable prsctp.
      So this patch is to use asoc->peer.prsctp_capable to check if prsctp
      is enabled on both sides, instead of asoc->prsctp_enable, as asoc's
      peer.prsctp_capable is set only when local and peer both enable prsctp.
      Fixes: a6c2f792 ("sctp: implement prsctp TTL policy")
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • sctp: remove prsctp_param from sctp_chunk · 0605483f
      Xin Long authored
      Now sctp uses chunk->prsctp_param to save the prsctp param for all the
      prsctp policies, we didn't need to introduce prsctp_param to sctp_chunk.
      We can just use chunk->sinfo.sinfo_timetolive for RTX and BUF policies,
      and reuse msg->expires_at for TTL policy, as the prsctp policies and old
      expires policy are mutually exclusive.
      This patch is to remove prsctp_param from sctp_chunk, and reuse msg's
      expires_at for TTL and chunk's sinfo.sinfo_timetolive for RTX and BUF
      Note that sctp can't use chunk's sinfo.sinfo_timetolive for TTL policy,
      as it needs a u64 variable to save the expires_at time.
      This one also fixes the "netperf-Throughput_Mbps -37.2% regression"
      Fixes: a6c2f792 ("sctp: implement prsctp TTL policy")
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 27 Sep, 2016 3 commits
  3. 25 Sep, 2016 1 commit
    • ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route · 2cf75070
      Nikolay Aleksandrov authored
      Since the commit below the ipmr/ip6mr rtnl_unicast() code uses the portid
      instead of the previous dst_pid which was copied from in_skb's portid.
      Since the skb is new the portid is 0 at that point so the packets are sent
      to the kernel and we get scheduling while atomic or a deadlock (depending
      on where it happens) by trying to acquire rtnl two times.
      Also since this is RTM_GETROUTE, it can be triggered by a normal user.
      Here's the sleeping while atomic trace:
      [ 7858.212557] BUG: sleeping function called from invalid context at kernel/locking/mutex.c:620
      [ 7858.212748] in_atomic(): 1, irqs_disabled(): 0, pid: 0, name: swapper/0
      [ 7858.212881] 2 locks held by swapper/0/0:
      [ 7858.213013]  #0:  (((&mrt->ipmr_expire_timer))){+.-...}, at: [<ffffffff810fbbf5>] call_timer_fn+0x5/0x350
      [ 7858.213422]  #1:  (mfc_unres_lock){+.....}, at: [<ffffffff8161e005>] ipmr_expire_process+0x25/0x130
      [ 7858.213807] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.8.0-rc7+ #179
      [ 7858.213934] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
      [ 7858.214108]  0000000000000000 ffff88005b403c50 ffffffff813a7804 0000000000000000
      [ 7858.214412]  ffffffff81a1338e ffff88005b403c78 ffffffff810a4a72 ffffffff81a1338e
      [ 7858.214716]  000000000000026c 0000000000000000 ffff88005b403ca8 ffffffff810a4b9f
      [ 7858.215251] Call Trace:
      [ 7858.215412]  <IRQ>  [<ffffffff813a7804>] dump_stack+0x85/0xc1
      [ 7858.215662]  [<ffffffff810a4a72>] ___might_sleep+0x192/0x250
      [ 7858.215868]  [<ffffffff810a4b9f>] __might_sleep+0x6f/0x100
      [ 7858.216072]  [<ffffffff8165bea3>] mutex_lock_nested+0x33/0x4d0
      [ 7858.216279]  [<ffffffff815a7a5f>] ? netlink_lookup+0x25f/0x460
      [ 7858.216487]  [<ffffffff8157474b>] rtnetlink_rcv+0x1b/0x40
      [ 7858.216687]  [<ffffffff815a9a0c>] netlink_unicast+0x19c/0x260
      [ 7858.216900]  [<ffffffff81573c70>] rtnl_unicast+0x20/0x30
      [ 7858.217128]  [<ffffffff8161cd39>] ipmr_destroy_unres+0xa9/0xf0
      [ 7858.217351]  [<ffffffff8161e06f>] ipmr_expire_process+0x8f/0x130
      [ 7858.217581]  [<ffffffff8161dfe0>] ? ipmr_net_init+0x180/0x180
      [ 7858.217785]  [<ffffffff8161dfe0>] ? ipmr_net_init+0x180/0x180
      [ 7858.217990]  [<ffffffff810fbc95>] call_timer_fn+0xa5/0x350
      [ 7858.218192]  [<ffffffff810fbbf5>] ? call_timer_fn+0x5/0x350
      [ 7858.218415]  [<ffffffff8161dfe0>] ? ipmr_net_init+0x180/0x180
      [ 7858.218656]  [<ffffffff810fde10>] run_timer_softirq+0x260/0x640
      [ 7858.218865]  [<ffffffff8166379b>] ? __do_softirq+0xbb/0x54f
      [ 7858.219068]  [<ffffffff816637c8>] __do_softirq+0xe8/0x54f
      [ 7858.219269]  [<ffffffff8107a948>] irq_exit+0xb8/0xc0
      [ 7858.219463]  [<ffffffff81663452>] smp_apic_timer_interrupt+0x42/0x50
      [ 7858.219678]  [<ffffffff816625bc>] apic_timer_interrupt+0x8c/0xa0
      [ 7858.219897]  <EOI>  [<ffffffff81055f16>] ? native_safe_halt+0x6/0x10
      [ 7858.220165]  [<ffffffff810d64dd>] ? trace_hardirqs_on+0xd/0x10
      [ 7858.220373]  [<ffffffff810298e3>] default_idle+0x23/0x190
      [ 7858.220574]  [<ffffffff8102a20f>] arch_cpu_idle+0xf/0x20
      [ 7858.220790]  [<ffffffff810c9f8c>] default_idle_call+0x4c/0x60
      [ 7858.221016]  [<ffffffff810ca33b>] cpu_startup_entry+0x39b/0x4d0
      [ 7858.221257]  [<ffffffff8164f995>] rest_init+0x135/0x140
      [ 7858.221469]  [<ffffffff81f83014>] start_kernel+0x50e/0x51b
      [ 7858.221670]  [<ffffffff81f82120>] ? early_idt_handler_array+0x120/0x120
      [ 7858.221894]  [<ffffffff81f8243f>] x86_64_start_reservations+0x2a/0x2c
      [ 7858.222113]  [<ffffffff81f8257c>] x86_64_start_kernel+0x13b/0x14a
      Fixes: 2942e900 ("[RTNETLINK]: Use rtnl_unicast() for rtnetlink unicasts")
      Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 24 Sep, 2016 1 commit
  5. 23 Sep, 2016 4 commits
  6. 22 Sep, 2016 3 commits
  7. 21 Sep, 2016 1 commit
    • vti6: fix input path · 63c43787
      Nicolas Dichtel authored
      Since commit 1625f452, vti6 is broken, all input packets are dropped
      (LINUX_MIB_XFRMINNOSTATES is incremented).
      XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 is set by vti6_rcv() before calling
      xfrm6_rcv()/xfrm6_rcv_spi(), thus we cannot set to NULL that value in
      A new function xfrm6_rcv_tnl() that enables to pass a value to
      xfrm6_rcv_spi() is added, so that xfrm6_rcv() is not touched (this function
      is used in several handlers).
      CC: Alexey Kodanev <alexey.kodanev@oracle.com>
      Fixes: 1625f452 ("net/xfrm_input: fix possible NULL deref of tunnel.ip6->parms.i_key")
      Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
  8. 20 Sep, 2016 2 commits
    • ipmr, ip6mr: return lastuse relative to now · b5036cd4
      Nikolay Aleksandrov authored
      When I introduced the lastuse member I made a subtle error because it was
      returned as an absolute value but that is meaningless to user-space as it
      doesn't allow to see how old exactly an entry is. Let's make it similar to
      how the bridge returns such values and make it relative to "now" (jiffies).
      This allows us to show the actual age of the entries and is much more
      useful (e.g. user-space daemons can age out entries, iproute2 can display
      the lastuse properly).
      Fixes: 43b9e127 ("net: ipmr/ip6mr: add support for keeping an entry age")
      Reported-by: Satish Ashok <sashok@cumulusnetworks.com>
      Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: ipv6: fallback to full lookup if table lookup is unsuitable · a435a07f
      Vincent Bernat authored
      Commit 8c14586f ("net: ipv6: Use passed in table for nexthop
      lookups") introduced a regression: insertion of an IPv6 route in a table
      not containing the appropriate connected route for the gateway but which
      contained a non-connected route (like a default gateway) fails while it
      was previously working:
          $ ip link add eth0 type dummy
          $ ip link set up dev eth0
          $ ip addr add 2001:db8::1/64 dev eth0
          $ ip route add ::/0 via 2001:db8::5 dev eth0 table 20
          $ ip route add 2001:db8:cafe::1/128 via 2001:db8::6 dev eth0 table 20
          RTNETLINK answers: No route to host
          $ ip -6 route show table 20
          default via 2001:db8::5 dev eth0  metric 1024  pref medium
      After this patch, we get:
          $ ip route add 2001:db8:cafe::1/128 via 2001:db8::6 dev eth0 table 20
          $ ip -6 route show table 20
          2001:db8:cafe::1 via 2001:db8::6 dev eth0  metric 1024  pref medium
          default via 2001:db8::5 dev eth0  metric 1024  pref medium
      Fixes: 8c14586f ("net: ipv6: Use passed in table for nexthop lookups")
      Signed-off-by: Vincent Bernat <vincent@bernat.im>
      Acked-by: David Ahern <dsa@cumulusnetworks.com>
      Tested-by: David Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  9. 19 Sep, 2016 2 commits
  10. 17 Sep, 2016 2 commits
  11. 16 Sep, 2016 1 commit
    • net: VRF: Pass original iif to ip_route_input() · d6f64d72
      Mark Tomlinson authored
      The function ip_rcv_finish() calls l3mdev_ip_rcv(). On any VRF except
      the global VRF, this replaces skb->dev with the VRF master interface.
      When calling ip_route_input_noref() from here, the checks for forwarding
      look at this master device instead of the initial ingress interface.
      This will allow packets to be routed which normally would be dropped.
      For example, an interface that is not assigned an IP address should
      drop packets, but because the checking is against the master device, the
      packet will be forwarded.
      The fix here is to still call l3mdev_ip_rcv(), but remember the initial
      net_device. This is passed to the other functions within ip_rcv_finish,
      so they still see the original interface.
      Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
      Acked-by: David Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  12. 15 Sep, 2016 1 commit
    • mac80211: reject TSPEC TIDs (TSIDs) for aggregation · 85d5313e
      Johannes Berg authored
      Since mac80211 doesn't currently support TSIDs 8-15 which can
      only be used after QoS TSPEC negotiation (and not even after
      WMM negotiation), reject attempts to set up aggregation
      sessions for them, which might confuse drivers. In mac80211
      we do correctly handle that, but the TSIDs should never get
      used anyway, and drivers might not be able to handle it.
      Cc: stable@vger.kernel.org
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  13. 14 Sep, 2016 1 commit
  14. 13 Sep, 2016 3 commits
    • nl80211: validate number of probe response CSA counters · ad5987b4
      Johannes Berg authored
      Due to an apparent copy/paste bug, the number of counters for the
      beacon configuration were checked twice, instead of checking the
      number of probe response counters. Fix this to check the number of
      probe response counters before parsing those.
      Cc: stable@vger.kernel.org
      Fixes: 9a774c78 ("cfg80211: Support multiple CSA counters")
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • sctp: hold the transport before using it in sctp_hash_cmp · 715f5552
      Xin Long authored
      Since commit 4f008781 ("sctp: apply rhashtable api to send/recv
      path"), sctp uses transport rhashtable with .obj_cmpfn sctp_hash_cmp,
      in which it compares the members of the transport with the rhashtable
      args to check if it's the right transport.
      But sctp uses the transport without holding it in sctp_hash_cmp, it can
      cause a use-after-free panic. As after it gets transport from hashtable,
      another CPU may close the sk and free the asoc. In sctp_association_free,
      it frees all the transports, meanwhile, the assoc's refcnt may be reduced
      to 0, assoc can be destroyed by sctp_association_destroy.
      So after that, transport->assoc is actually an unavailable memory address
      in sctp_hash_cmp. Although sctp_hash_cmp is under rcu_read_lock, it still
      can not avoid this, as assoc is not freed by RCU.
      This patch is to hold the transport before checking its members with
      sctp_transport_hold, in which it checks the refcnt first, holds it if
      it's not 0.
      Fixes: 4f008781 ("sctp: apply rhashtable api to send/recv path")
      Signed-off-by: Xin Long <lucien.xin@gmail.com>
      Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions · 4440a2ab
      Gao Feng authored
      When memory is exhausted, nfct_seqadj_ext_add may fail to add the
      synproxy and seqadj extensions. The function nf_ct_seqadj_init doesn't
      check if get valid seqadj pointer by the nfct_seqadj.
      Now drop the packet directly when fail to add seqadj extension to
      avoid dereference NULL pointer in nf_ct_seqadj_init from
      Signed-off-by: Gao Feng <fgao@ikuai8.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  15. 12 Sep, 2016 5 commits
    • svcauth_gss: Revert 64c59a37 ("Remove unnecessary allocation") · bf2c4b6f
      Chuck Lever authored
      rsc_lookup steals the passed-in memory to avoid doing an allocation of
      its own, so we can't just pass in a pointer to memory that someone else
      is using.
      If we really want to avoid allocation there then maybe we should
      preallocate somewhere, or reference count these handles.
      For now we should revert.
      On occasion I see this on my server:
      kernel: kernel BUG at /home/cel/src/linux/linux-2.6/mm/slub.c:3851!
      kernel: invalid opcode: 0000 [#1] SMP
      kernel: Modules linked in: cts rpcsec_gss_krb5 sb_edac edac_core x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd btrfs xor iTCO_wdt iTCO_vendor_support raid6_pq pcspkr i2c_i801 i2c_smbus lpc_ich mfd_core mei_me sg mei shpchp wmi ioatdma ipmi_si ipmi_msghandler acpi_pad acpi_power_meter rpcrdma ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm nfsd nfs_acl lockd grace auth_rpcgss sunrpc ip_tables xfs libcrc32c mlx4_ib mlx4_en ib_core sr_mod cdrom sd_mod ast drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm crc32c_intel igb mlx4_core ahci libahci libata ptp pps_core dca i2c_algo_bit i2c_core dm_mirror dm_region_hash dm_log dm_mod
      kernel: CPU: 7 PID: 145 Comm: kworker/7:2 Not tainted 4.8.0-rc4-00006-g9d06b0b #15
      kernel: Hardware name: Supermicro Super Server/X10SRL-F, BIOS 1.0c 09/09/2015
      kernel: Workqueue: events do_cache_clean [sunrpc]
      kernel: task: ffff8808541d8000 task.stack: ffff880854344000
      kernel: RIP: 0010:[<ffffffff811e7075>]  [<ffffffff811e7075>] kfree+0x155/0x180
      kernel: Call Trace:
      kernel: [<ffffffffa013cf76>] rsc_free+0x16/0x90 [auth_rpcgss]
      kernel: [<ffffffffa013d006>] rsc_put+0x16/0x30 [auth_rpcgss]
      kernel: [<ffffffffa0406f60>] cache_clean+0x2e0/0x300 [sunrpc]
      kernel: [<ffffffffa04073ee>] do_cache_clean+0xe/0x70 [sunrpc]
      kernel: [<ffffffff8109a70f>] process_one_work+0x1ff/0x3b0
      kernel: [<ffffffff8109b15c>] worker_thread+0x2bc/0x4a0
      kernel: [<ffffffff8109aea0>] ? rescuer_thread+0x3a0/0x3a0
      kernel: [<ffffffff810a0ba4>] kthread+0xe4/0xf0
      kernel: [<ffffffff8169c47f>] ret_from_fork+0x1f/0x40
      kernel: [<ffffffff810a0ac0>] ? kthread_stop+0x110/0x110
      kernel: RIP  [<ffffffff811e7075>] kfree+0x155/0x180
      kernel: RSP <ffff880854347d70>
      kernel: ---[ end trace 3fdec044969def26 ]---
      It seems to be most common after a server reboot where a client has been
      using a Kerberos mount, and reconnects to continue its workload.
      Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    • netfilter: nf_nat: handle NF_DROP from nfnetlink_parse_nat_setup() · ecfcdfec
      Pablo Neira Ayuso authored
      nf_nat_setup_info() returns NF_* verdicts, so convert them to error
      codes that is what ctnetlink expects. This has passed overlook without
      having any impact since this nf_nat_setup_info() has always returned
      NF_ACCEPT so far. Since 870190a9 ("netfilter: nat: convert nat bysrc
      hash to rhashtable"), this is a problem.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • mac80211: make mpath path fixing more robust · 5df20f21
      Pedersen, Thomas authored
      A fixed mpath was not quite being treated as such:
      1) if a PERR frame was received, a fixed mpath was
      2) queued path discovery for fixed mpath was potentially
         being considered, changing mpath state.
      3) other mpath flags were potentially being inherited when
         fixing the mpath. Just assign PATH_FIXED and SN_VALID.
      This solves several issues when fixing a mesh path in one
      direction. The reverse direction mpath should probably
      also be fixed, or root announcements at least be enabled.
      Signed-off-by: Thomas Pedersen <twp@qca.qualcomm.com>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • mac80211: fix sequence number assignment for PS response frames · df6ef5d8
      Felix Fietkau authored
      When using intermediate queues, sequence number allocation is deferred
      until dequeue. This doesn't work for PS response frames, which bypass
      those queues.
      Signed-off-by: Felix Fietkau <nbd@nbd.name>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
    • mac80211: fix tim recalculation after PS response · 83843c80
      Felix Fietkau authored
      Handle the case where the mac80211 intermediate queues are empty and the
      driver has buffered frames
      Fixes: ba8c3d6f ("mac80211: add an intermediate software queue implementation")
      Signed-off-by: Felix Fietkau <nbd@nbd.name>
      Signed-off-by: Johannes Berg <johannes.berg@intel.com>
  16. 09 Sep, 2016 3 commits
  17. 08 Sep, 2016 2 commits
  18. 06 Sep, 2016 2 commits
    • ipv6: addrconf: fix dev refcont leak when DAD failed · 751eb6b6
      Wei Yongjun authored
      In general, when DAD detected IPv6 duplicate address, ifp->state
      will be set to INET6_IFADDR_STATE_ERRDAD and DAD is stopped by a
      delayed work, the call tree should be like this:
        -> addrconf_dad_failure        <- missing ifp put
           -> addrconf_mod_dad_work
             -> schedule addrconf_dad_work()
               -> addrconf_dad_stop()  <- missing ifp hold before call it
      addrconf_dad_failure() is called with the ifp refcount held but not put.
      addrconf_dad_work() calls addrconf_dad_stop() without holding an extra
      refcount. This will not cause any issue normally.
      But the race between addrconf_dad_failure() and addrconf_dad_work()
      may cause an ifp refcount leak and the netdevice cannot be unregistered,
      dmesg shows the following messages:
      IPv6: eth0: IPv6 duplicate address fe80::XX:XXXX:XXXX:XX detected!
      unregister_netdevice: waiting for eth0 to become free. Usage count = 1
      Cc: stable@vger.kernel.org
      Fixes: c15b1cca ("ipv6: move DAD and addrconf_verify processing to workqueue")
      Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: Don't delete routes in different VRFs · 5a56a0b3
      Mark Tomlinson authored
      When deleting an IP address from an interface, there is a clean-up of
      routes which refer to this local address. However, there was no check to
      see that the VRF matched. This meant that deletion wasn't confined to
      the VRF it should have been.
      To solve this, a new field has been added to fib_info to hold a table
      id. When removing fib entries corresponding to a local ip address, this
      table id is also used in the comparison.
      The table id is populated when the fib_info is created. This was already
      done in some places, but not in ip_rt_ioctl(). This has now been fixed.
      Fixes: 021dd3b8 ("net: Add routes to the table associated with the device")
      Acked-by: David Ahern <dsa@cumulusnetworks.com>
      Tested-by: David Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: Mark Tomlinson <mark.tomlinson@alliedtelesis.co.nz>
      Signed-off-by: David S. Miller <davem@davemloft.net>